
SAP GRC Access Control

Protect information and prevent fraud

May 2008

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

SAP 2008 / Page 2

Fragmentation

Managing with confidence is difficult in an increasingly complex world


[Diagram: governance, risk management and compliance activities fragmented across regulations (SOX, JSOX, FDA, RoHS/WEEE), risk types (human capital, credit, project, segregation of duties), countries (U.S., Germany, Japan, U.K., France, China, Canada, India), departments (Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Treasury, Security, Policy Mgmt., Audit & Compliance, Proj. Mgmt., Doc. Mgmt.) and systems (ERP, planning, customers, production, billing).]


Integrated GRC

Forward-looking organizations are seeking a unified approach to GRC


[Diagram: the same regulations, risk types, countries, departments and systems as on the previous slide, brought together under one integrated GRC approach.]


Access and Authorization Risks


Managing access risks is everyone's job

- Board, Audit Committee: reactive approach
- Executives & Managers: who holds responsibility for segregation of duties?
- Finance: 5% of annual revenue lost to fraud (1)
- Human Resources: inefficient and noncompliant employee provisioning and deprovisioning
- Operations: uncontrolled role management
- Internal Audit: time and effort for audits
- IT Operations: manual, error-prone administration
- Information Security: no monitoring of sensitive transactions

[Diagram labels: Supply Chain, Customers & Channel, Salaries.]

1 Association of Certified Fraud Examiners, 2006 Report to the Nation on Occupational Fraud and Abuse

Access And Authorization Management


Overcome fragmentation, gain comprehensive access control

- Board, Audit Committee: preventive approach
- Executives & Managers: manage compliance with confidence
- Finance: vulnerability to unwanted financial activity fixed
- Human Resources: efficient and compliant user provisioning
- Operations: compliant, role-based access control
- Internal Audit: lower cost of audit and audit-related fees
- IT Operations: improve efficiency by automating core compliance/security tasks
- Information Security: sensitive transaction monitoring

[Diagram labels: Supply Chain, Customers & Channel, Salaries.]


Compliance Trends

Gartner's 2007 Planning Guidance for Compliance

- By 2010, auditors will expect regulated organizations to detect fraud by performing transaction monitoring on a continuous basis, and 60% of regulated firms will have such an automated process in place. (1)
- The broader market for GRC products will subsume this market by 2010, and SoD controls will be offered primarily as embedded capabilities in GRC products/suites (0.8 probability). (1)
- Process owners are looking to simplify and reduce the cost of compliance. (2)
- Spending on security, segregation of duties, and other solutions that support controls monitoring and automation will increase. (2)

1 Gartner, MarketScope for Segregation of Duties Controls Within ERP, 2007
2 Gartner, The 2006 Planning Guidance for Compliance: Risk-Orientation, Standardization, and Automation, April 2006

Governance, Risk, Compliance - required to establish Corporate Accountability

SAP GRC Risk Management: aggregated detection of risks and control monitoring

- Provides a unified, business-user focused approach
- Organizes all compliance requirements
- Creates a common method to measure risks
- Ensures strategy considers risks
- Implements and monitors controls in business processes
- Detects and alerts to exceptions for risks and controls
- Promotes sustainable operations

SAP GRC Global Trade Services: streamline trade compliance

SAP Environment, Health & Safety Compliance Management: ensure EH&S oversight

SAP GRC Access Control: secure SoD and compliant IDM/provisioning

SAP GRC Process Control: control monitoring for business processes


SAP GRC Access Control

Control Access and Authorizations Across Your Enterprise

Document and Audit
- Streamline audits
- Provide proof
- Automate reviews

Protect information and prevent fraud
- Automatically eliminate access and authorization risks with out-of-the-box rules
- Enforce segregation of duties across applications and departments

Analyze and Remediate
- Analyze and remediate risk
- Manage by exception
- Collaborate across functions
- Prevent improper access instead of reacting to problems

Optimize operations
- Automate segregation of duties management
- Automate access management
- Promote IT and Line of Business collaboration
- Enforce accountability with review and approval processes
- Ease compliance and avoid authorization risk

Embed and Execute
- Superuser privilege management
- Compliant user provisioning
- Embed cross-function (FIN, SCM, SRM, MFG, HR)
- Embed cross-platform

Minimize time and cost for financial compliance
- Provide proof and reliability with control tests and audit trail for SoD controls
- Report and review key risk indicators for system access


Model and Control: SoD rules & regulations, corporate policies, best practices; enterprise role management; identity management

SAP GRC Access Control: sustainable prevention of segregation of duties violations

Minimal Time To Compliance (Get Clean)
- Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up
- Enterprise Role Management: enforce SoD compliance at design time

Continuous Access Management (Stay Clean)
- Compliant User Provisioning: prevent SoD violations at run time
- Superuser Privilege Management: close the #1 audit issue with temporary emergency access

Effective Management Oversight and Audit (Stay in Control)
- Periodic Access Review and Audit: focus on remaining challenges during recurring audits

Risk analysis, remediation and prevention services
Cross-enterprise library of best practice segregation of duties rules

SAP GRC Access Control: from minimal time to compliance to effective management oversight and audit

- Stay in Control: management oversight, internal audit
- Stay Clean (continuous access management): Compliant User Provisioning, Superuser Privilege Management, Enterprise Role Management
- Get Clean (minimal time to compliance): Risk Analysis and Remediation

Risk Analysis, Remediation, and Prevention Services


Deliver 24/7, real-time compliance by stopping security and controls violations before they occur

Access Risks Services (risk identification, prevention, reporting, elimination), common across all SAP GRC Access Control capabilities:
- Real-time SoD risk analysis
- Critical transaction monitoring
- Cross-application integration
- Remediation management
- Mitigation management
- Alerts framework
- Reporting
- Real-time simulation
- Mandatory prevention

Access Risks Library (rules):
- Cross-enterprise rules database
- Cross-enterprise rules architect

"SAP GRC Access Control, with its comprehensive preconfigured rule set, reflected deep expertise within SAP that would have taken us a very long time to replicate."
Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.


Risk Analysis and Remediation

Getting Clean: initial risk analysis and remediation

Facilitates collaboration between Business and IT to clean up access risks

[Diagram: end-to-end automation of access risk identification, access risk elimination, reporting and prevention.]

"The cleanup process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations."
Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.

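The rule-based risk analysis, mitigation management and one-click preventive simulation named on the two preceding slides, as an added example that is not code from the presentation or from SAP GRC Access Control: the functions, transaction codes, roles, users, rule ids and the mitigating control are constructed, and the rule library is cut down to three procure-to-pay conflicts.

```python
"""SoD risk analysis with preventive what-if simulation (constructed example).

Models the get-clean / stay-clean workflow: a rule library of conflicting functions,
users holding roles, analysis of the actual assignments, mitigating controls for
accepted risks, and a simulation of a requested role before it is provisioned.
"""
from __future__ import annotations
from dataclasses import dataclass

# A business function is reachable through any of its transaction codes (constructed).
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02"},
    "INVOICE_ENTRY": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
    "PO_CREATE": {"ME21N"},
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    func_a: str
    func_b: str
    description: str


# Rule library: pairs of functions one person must not hold together (constructed).
RULES = [
    SodRule("P001", "VENDOR_MAINT", "INVOICE_ENTRY", "Create fictitious vendor and post its invoice"),
    SodRule("P002", "VENDOR_MAINT", "PAYMENT_RUN", "Create fictitious vendor and pay it"),
    SodRule("P003", "INVOICE_ENTRY", "PAYMENT_RUN", "Post and pay an unapproved invoice"),
]

# Technical roles grant transaction codes; users hold roles (constructed).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_TREASURY": {"F110"},
    "Z_BUYER": {"ME21N"},
}
USERS = {"alice": {"Z_AP_CLERK", "Z_BUYER"}, "bob": {"Z_VENDOR_MASTER", "Z_TREASURY"}}

# Mitigating controls documented for risks the business has accepted (constructed).
MITIGATIONS = {("bob", "P002"): "MC-17: monthly vendor master change review by the controller"}


def functions_for(roles: set[str]) -> set[str]:
    """Functions a user can perform, given the transaction codes their roles grant."""
    tcodes = set().union(*(ROLES[r] for r in roles))
    return {f for f, needed in FUNCTIONS.items() if tcodes & needed}


def analyze_user(user: str, roles: set[str]) -> dict[str, list[str]]:
    """Violated rule ids for one user, split by whether a mitigating control exists."""
    held = functions_for(roles)
    violated = [r.rule_id for r in RULES if r.func_a in held and r.func_b in held]
    mitigated = [rid for rid in violated if (user, rid) in MITIGATIONS]
    return {"unmitigated": [rid for rid in violated if rid not in mitigated],
            "mitigated": mitigated}


def risk_analysis() -> dict[str, dict[str, list[str]]]:
    """Get clean: analysis of every user's current assignments."""
    return {user: analyze_user(user, roles) for user, roles in USERS.items()}


def simulate_grant(user: str, new_role: str) -> list[str]:
    """Stay clean: unmitigated risks a requested role would ADD, checked before provisioning."""
    before = set(analyze_user(user, USERS[user])["unmitigated"])
    after = set(analyze_user(user, USERS[user] | {new_role})["unmitigated"])
    return sorted(after - before)
```

Because a mitigated risk is excluded from the simulation result, a request is only stopped for conflicts that nobody has documented a control for, which is the "manage by exception" behaviour the deck describes.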

Enterprise Role Definition

Enables enterprise role definition and maintenance in a single location

Centralized Role Management
- Reduce cost of role maintenance
- Ease compliance and avoid authorization risk
- Eliminate errors and enforce best practices
- Assure audit-ready traceability and security checks
- New with SAP GRC Access Control 5.3: mapping of business roles to technical roles

[Diagram: enterprise rules and the audit log feed SAP GRC Access Control, which maintains compliant enterprise roles across applications.]

28% time savings in role management (Customer Survey, 3/2006)


Compliant User Provisioning

Problem: inefficient and unauditable user provisioning

Current approach (inefficient, not compliant): access request by e-mail -> manager approval by e-mail -> role owner working from spreadsheets and paper forms -> IT security working from spreadsheets and paper forms -> manual provisioning


Compliant User Provisioning

Enables compliant end-to-end provisioning, hire to retire

Compliant provisioning with dynamic workflow:
- HR event (employee hired/retired): request generated, 100% automated
- Manager approval via e-mail; workflow path based on request type and user attributes; escalation workflow
- Risk analysis: one-click preventive simulation; exception workflow
- Automated provisioning, 100% automated

- Embed cross-enterprise preventive compliance in the business process
- Reduce cost of user administration
- Improve productivity of end users
- Provide auditable tracking for auditors

"We reduced provisioning from 2 weeks to 2 days."
Web Seminar, Rockwell Collins, 3/2005


Superuser Privilege Management

Enables compliance-focused emergency access for SAP ERP

Compliant super user access
- Close the #1 open audit issue
- Avoid business obstructions with faster emergency response
- Reduce audit time
- Reduce time to perform critical tasks

[Diagram: instead of a broad superuser profile (SAP_ALL), the superuser opens a new session with a Firecall ID scoped to one area (SD, MM, FICO); every session writes a log.]

- Preassigned FireFighter IDs
- Access restrictions
- Validity dates
- Field-level changes tracked in audit log

"Super users and auditors love it."
Web Seminar, Lincoln Electric, 3/2006

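The four firefighter-ID controls listed above (preassignment, access restrictions, validity dates, logged field-level changes), as an added illustration that is not SAP's implementation: the ID, users, transaction codes, field names and dates are constructed sample data.

```python
"""Emergency ('firefighter') access with validity dates and an audit log (constructed example).

A firefighter ID preassigned to named users, restricted to a set of transaction codes and
valid only in a date range; every transaction and field-level change is logged for the ID
owner's review. Users, IDs, transaction codes, field names and timestamps are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class FirefighterId:
    allowed_tcodes: set[str]   # access restriction for this emergency ID
    valid_from: datetime
    valid_to: datetime
    assigned_to: set[str]      # business users preassigned to check it out

@dataclass
class Session:
    ff_id: str
    user: str
    reason: str
    log: list[dict] = field(default_factory=list)   # this session's log entries

AUDIT_LOG: list[dict] = []   # append-only record across all sessions, for review

# Constructed: one sales-and-distribution firefighter ID, valid during May 2008.
FF_IDS = {"FF_SD": FirefighterId({"VA01", "VA02"}, datetime(2008, 5, 1),
                                 datetime(2008, 5, 31, 23, 59), {"alice"})}

def check_out(ff_name: str, user: str, reason: str, now: datetime) -> Session:
    """Open a session only for a preassigned user and only inside the validity dates."""
    ff = FF_IDS[ff_name]
    if user not in ff.assigned_to:
        raise PermissionError(f"{user} is not preassigned to {ff_name}")
    if not ff.valid_from <= now <= ff.valid_to:
        raise PermissionError(f"{ff_name} is outside its validity period")
    AUDIT_LOG.append({"event": "check_out", "ff_id": ff_name, "user": user, "reason": reason, "at": now.isoformat()})
    return Session(ff_name, user, reason)

def execute(s: Session, tcode: str, changes: dict[str, tuple[str, str]], now: datetime) -> bool:
    """Run a transaction in the session; (old, new) field values are logged. False if blocked."""
    allowed = tcode in FF_IDS[s.ff_id].allowed_tcodes
    entry = {"event": "tcode", "ff_id": s.ff_id, "user": s.user, "tcode": tcode,
             "allowed": allowed, "changes": changes if allowed else {}, "at": now.isoformat()}
    s.log.append(entry)
    AUDIT_LOG.append(entry)
    return allowed

def session_report(s: Session) -> dict:
    """What the ID owner reviews afterwards: executed versus blocked transactions."""
    return {"executed": [e["tcode"] for e in s.log if e["allowed"]],
            "blocked": [e["tcode"] for e in s.log if not e["allowed"]],
            "field_changes": sum(len(e["changes"]) for e in s.log)}

def demo_session() -> dict:
    """Constructed scenario: one allowed and one blocked transaction, plus two refused check-outs."""
    t = datetime(2008, 5, 10, 9, 0)
    s = check_out("FF_SD", "alice", "release delivery block on sales order 4711", t)
    va02_ok = execute(s, "VA02", {"LIFSK": ("01", "")}, t)
    xk02_ok = execute(s, "XK02", {"BANKN": ("111", "222")}, t)
    denied = 0
    for user, when in (("bob", t), ("alice", datetime(2008, 6, 2))):
        try:
            check_out("FF_SD", user, "test", when)
        except PermissionError:
            denied += 1
    return {"report": session_report(s), "va02_ok": va02_ok, "xk02_ok": xk02_ok, "denied": denied}
```

The blocked attempt is logged as well as the executed one, so the owner's review shows both what the emergency session did and what it tried to do outside its scope.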

Management Oversight and Audits

Periodic reviews; comprehensive and efficient audits

Management: review emergency access, review user provisioning, review potential risks, review actual risks, review policy
- Management by exception
- Automated, pre-built access controls reporting
- Review of roles, users and mitigation controls

Internal Audit: equips internal and external auditors to complete comprehensive and efficient testing; saves audit and audit-related fees
1) Validate via sampling that changes to access were appropriately authorized
2) Validate that segregation of duties risks are appropriately mitigated on a sample basis


Comprehensive Access Controls

Enables business managers, auditors, and IT security to collaborate

Key Areas (owners: business users, IT security, management oversight, internal audit)
- Access risk identification and elimination
- Role design and management
- Compliant user provisioning
- Privileged user access
- Collaboration between business and IT
- Periodic access review
- Audit cycle management

SAP Benefits
- Identification and elimination of potential access risks (e.g. segregation of duties violations) and actual risks (e.g. sensitive transaction monitoring)
- Real-time detective and preventive controls, cross-enterprise
- SoD-compliant role design and management to address the root of the problem
- Efficient and SoD-compliant user provisioning and de-provisioning from hire to retire
- Efficient and effective superuser privilege management, with tracking of all activity
- Enabling business to take accountability for access
- Automated, pre-built access controls reporting
- Review of roles, users and mitigation controls
- Documentation to help validate that the business team is following the control process


GRC Management by Exception

Turning regulatory requirements into strategic advantage

[Chart: GRC spend today (manual efforts, multiple tools) versus tomorrow (compliance management by exception, embedded compliance, common foundation); the cost saved becomes savings for innovation.]

- Increase transparency
- Gain flexibility and speed
- Lower cost of audit and audit-related fees
- Achieve higher confidence


Cross-Enterprise Solution

Identify and remediate conflicts across functions and applications

[Diagram: Cross-Enterprise GRC covers the end-to-end processes Hire-to-Retire, Reconcile-to-Report, Procure-to-Pay, Order-to-Cash and Production-to-Delivery, both cross-functionally and cross-application.]

Cross-Enterprise Capabilities

SAP GRC Access Control delivers a best practice SoD rules library

[Matrix: rule coverage per platform. Platforms: SAP, Oracle, PeopleSoft, JD Edwards. Process areas: HR (HR/Payroll for JD Edwards), Procure to Pay, Order to Cash, Finance (the Finance sub-areas listed are General Accounting, Project Systems, Fixed Assets and Consolidations, not all of them for every platform) and System Administration (for SAP: Basis, Security and System Administration), plus the SAP-specific areas Materials Management, APO, SRM and CRM.]


Business and IT Collaboration

Enabling Business to Take Accountability for Access

SAP GRC Access Control enables crucial collaboration: Business makes the decisions and owns the responsibility for segregation of duties; IT enables those decisions and understands the technology to grant or revoke user access.


Business-Driven Identity Management

SAP addresses compliance issues across the organization

CFO, business controls: SAP GRC Access Control
- User provisioning
- Risk analysis
- Audit and compliance, including audit repository
- Approval workflows
- Privilege management for business transactions

CIO, systems access: Identity Management
- Additional user provisioning
- Identity synchronization and virtualization
- Privilege management for applications and resources

SAP will offer an integrated solution

SAP GRC Access Control 5.3

Identity management integration

SAP GRC Access Control approach to identity management:

[Diagram: HR as the authoritative source and self-service requests feed an identity management product (SAP NetWeaver IdM, IBM, Sun); SAP GRC Access Control provides risk analysis and remediation, compliant user provisioning, enterprise role management, superuser privilege management (SAP_ALL) and auditing and review before access reaches the applications.]


What our customers say

SAP GRC Access Control delivers value

Proactive: "We used to be in a reaction mode; with SAP GRC Access Control we are now in a proactive mode."

Preventive: "A key internal control in any organization is segregation of duties (SoD), which is arduous to achieve manually with all the different transactional access available in SAP software. SAP GRC Access Control automated this function and enabled us to change our process and implement a preventive solution for future ongoing compliance."

Easy: "SAP GRC Access Control is easy to implement, and easy to use, and most importantly gives us the ability to ensure we meet regulatory requirements with minimal impact on our staff and business operations."

Automated: "We clearly would not have been as successful without this application, in terms of our external reporting requirements for the SEC and the Public Company Accounting Oversight Board."

Effective and Efficient: "The SAP applications not only help to ensure good governance and compliance, they also reduce the effort involved so that our people can focus on the business."


Proven results for customers

Customers report significant reductions in compliance cost and labor

[Bar chart: average reduction reported in time spent on external/internal audit, internal/external audit costs, time spent managing authorization risk, costs for managing user authorization risk, time spent making changes to users and roles, and time required to clean up audit report findings for security; the values shown are 30%, 25%, 32%, 28%, 28% and 31%.]

Source: Customer Survey, March 2006 (number of responses = 130)


Gartner Strong Positive

SAP GRC Access Control receives the highest rating from Gartner (1)

Rating scale: Strong Negative, Caution, Promising, Positive, Strong Positive

About SAP GRC Access Control:
- SAP is the only vendor with a Gartner "recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access)
- Offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances
- Capable of running on multiple ERP platforms

1 Gartner, MarketScope for Segregation of Duties Controls Within ERP, 2007


References

Delivering real-world value to our customers:
- Saved time and costs, with a single, integrated system
- Faster approval of access and authorization requests
- GTS and Access Control part of a large solution selected over Oracle / Hyperion
- Enforce key SoD control at lowest total cost of ownership
- Created a highly responsive audit environment that enables rapid response and remediation to SoD issues
- Improved strategy for resolving SoD conflict problems
- Achieved ROI in less than 3 months through productivity improvements and reduced audit costs
- 89% reduction in administrative costs due to self-service workflow
- Established audit response processes to minimize audit time and cost


Customer references: Synopsys, Inc.; Canadian Pacific Railway; Bacardi

Printronix

Company: Printronix
Location: Irvine, California
Industry: High Tech
Products/Services: Global enterprise printing solutions for industrial manufacturing and distribution supply chain
Revenue: $128 million
Employees: 785
Web Site: www.printronix.com
SAP Solutions and Services: Virsa Compliance Calibrator

"Virsa Compliance Calibrator is easy to implement and easy to use, and most importantly gives us the ability to ensure we meet regulatory requirements with minimal impact on our staff and business operations."
Kate Squyres, Manager, IT Compliance, Printronix

Challenges and Opportunities
- Ensure the company has the internal control environment for financial statements to be in compliance with latest regulatory disclosure requirements
- Minimize time and cost of annual audits

Why SAP
- Virsa Compliance Calibrator is integrated with SAP ERP, enabling streamlined, real-time review of security set-up
- Depth of functionality and ease of use

Objectives
- Enable compliance that is easy to implement and readily accepted by the audit community
- Implement a solution that is easy to use by business process owners and has minimal impact on IT resources

Benefits
- Established readily accepted audit response processes that have minimized audit time and cost
- Created a highly responsive audit environment that enables rapid response and remediation to Segregation of Duties (SoD) violations

Implementation Highlights
- Implementation was completed on time and within budget; total time to completion was less than six months and met end-of-year audit requirements


Xerox Europe


Wolverine

Company: Wolverine World Wide, Inc.
Location: Rockford, Michigan
Industry: Consumer Products
Products/Services: Apparel and accessories
Revenue: $1 Billion
Employees: 4,500
Web Site: www.wolverineworldwide.com
SAP Solutions and Services: SAP Solutions for Governance, Risk and Compliance; Virsa Compliance Calibrator
Partner: PricewaterhouseCoopers

"The SAP application has given the security team a method to quickly identify risks within the system. The simulation feature has been a significant tool to aid in conflict mitigation."
Kiki Lown, Director of Compliance & Administration, Wolverine World Wide, Inc.

Challenges and Opportunities
- Difficulty documenting Segregation of Duties (SoD) controls
- Assessing & monitoring internal controls takes significant time
- Home-grown solutions are inconsistent and not comprehensive
- Compliance requires high level of change management

Objectives
- Segregation of duty capabilities
- Sarbanes-Oxley Section 302/404 compliance
- Risk management
- Real-time detection of violations
- Ability to run simulations by user role

Why SAP
- Integration with SAP applications helps speed implementation
- SAP GRC solutions give Wolverine compliance managers the ability to identify conflicts
- Satisfies compliance audit requirements
- Alleviates concerns about data integrity

Benefits
- Simplified compliance with Sarbanes-Oxley
- Reduced consulting and audit effort and cost
- Reduced time needed to make user profile changes
- Improved ability to develop strategy for resolving SoD conflict problems
- Enabled implementation of governance best practices
- Reduced internal efforts to maintain, control and perform analysis

Implementation Highlights
- Compliance Calibrator implemented in two weeks


Resources

- www.sap.com/GRC: Solutions for automated end-to-end GRC processes
- www.sap.com/solutions/grc/accessandauthorization/index.epx: SAP GRC Access Control
- www.sap.com/solutions/grc/brochures/index.epx: SAP Solutions for GRC: brochures & whitepapers
- www.sap.com/solutions/grc/demos/index.epx: SAP Solutions for GRC: demos


SAP Solutions for Governance, Risk, and Compliance
